<?xml version="1.0" encoding="ISO-8859-1"?>
<!--
    Licensed to the Apache Software Foundation (ASF) under one
    or more contributor license agreements.  See the NOTICE file
    distributed with this work for additional information
    regarding copyright ownership.  The ASF licenses this file
    to you under the Apache License, Version 2.0 (the
    "License"); you may not use this file except in compliance
    with the License.  You may obtain a copy of the License at

       http://www.apache.org/licenses/LICENSE-2.0

    Unless required by applicable law or agreed to in writing,
    software distributed under the License is distributed on an
    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
    KIND, either express or implied.  See the License for the
    specific language governing permissions and limitations
    under the License.
-->

<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

   <description>
       JSPWiki is an open source JSP-based WikiClone.  It is licensed
       under the Apache 2.0 license.
       For more information, please come to http://jspwiki.apache.org/
   </description>
   <display-name>JSPWiki</display-name>

   <!--
   Supported starting from servlet specification 2.5
   Credit:  https://raibledesigns.com/rd/entry/trim_spaces_in_your_jsp1
   -->
   <jsp-config>
     <jsp-property-group>
       <url-pattern>*.jsp</url-pattern>
       <trim-directive-whitespaces>true</trim-directive-whitespaces>
     </jsp-property-group>
   </jsp-config>

   <!-- Resource bundle default location -->
   <context-param>
     <param-name>javax.servlet.jsp.jstl.fmt.localizationContext</param-name>
     <param-value>templates.default</param-value>
   </context-param>

   <!--
      WikiServletFilter defines a servlet filter which filters all requests. It was
      introduced in JSPWiki 2.4.

      In 2.7/2.8, the WikiServlet filter also performs an important security function:
      it sets authentication status based on container credentials. It should generally
      execute first. Note that if you configure a filter *before* this one that returns
      non-null values for getUserPrincipal() or getRemoteUser(), WikiSecurityFilter
      will pick the credentials up, and set the user's WikiSession state to
      "authenticated." WikiServletFilter will also set the WikiSession's' state
      to "authenticated" if preferences.ini property "jspwiki.cookieAuthentication"
      is set to true, and the user possesses the correct authentication cookie.

      Lastly, if preferences.ini property "jspwiki.cookieAssertions" is set to true,
      WikiServletFilter will also set WikiSession state to "asserted" if the user
      possesses the correct "assertion cookie."
   -->

   <filter>
      <filter-name>WikiServletFilter</filter-name>
      <filter-class>org.apache.wiki.ui.WikiServletFilter</filter-class>
   </filter>
   <filter>
      <filter-name>WikiJSPFilter</filter-name>
      <filter-class>org.apache.wiki.ui.WikiJSPFilter</filter-class>
   </filter>

   <filter-mapping>
       <filter-name>WikiServletFilter</filter-name>
       <url-pattern>/attach/*</url-pattern>
       <url-pattern>/atom/*</url-pattern>
       <url-pattern>/RPCU/</url-pattern>
       <url-pattern>/RPC2/</url-pattern>
   </filter-mapping>
   <filter-mapping>
       <filter-name>WikiJSPFilter</filter-name>
       <url-pattern>/wiki/*</url-pattern>
       <url-pattern>*.jsp</url-pattern>
   </filter-mapping>

   <!--
       HttpSessionListener used for managing WikiSession's.
     -->
   <listener>
      <listener-class>org.apache.wiki.auth.SessionMonitor</listener-class>
   </listener>

   <!-- servlet context listener to configure API's SPI -->
   <listener>
       <listener-class>org.apache.wiki.bootstrap.WikiBootstrapServletContextListener</listener-class>
   </listener>

   <!--
       Now, let's define the XML-RPC interfaces.  You probably don't have to
       touch these.

       First, we'll define the standard XML-RPC interface.
     -->
   <servlet>
       <servlet-name>XMLRPC</servlet-name>
       <servlet-class>org.apache.wiki.xmlrpc.RPCServlet</servlet-class>
       <init-param>
           <param-name>handler</param-name>
           <param-value>org.apache.wiki.xmlrpc.RPCHandler</param-value>
       </init-param>

       <init-param>
           <param-name>prefix</param-name>
           <param-value>wiki</param-value>
       </init-param>
   </servlet>

   <!--
       OK, this then defines that our UTF-8 -capable server.
     -->

   <servlet>
       <servlet-name>XMLRPC-UTF8</servlet-name>
       <servlet-class>org.apache.wiki.xmlrpc.RPCServlet</servlet-class>
       <init-param>
           <param-name>handler</param-name>
           <param-value>org.apache.wiki.xmlrpc.RPCHandlerUTF8</param-value>
       </init-param>

       <init-param>
           <param-name>prefix</param-name>
           <param-value>wiki</param-value>
       </init-param>
   </servlet>

    <!-- WikiAjaxDispatcherServlet -->
    <servlet>
        <servlet-name>WikiAjaxDispatcherServlet</servlet-name>
        <servlet-class>org.apache.wiki.ajax.WikiAjaxDispatcherServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>

   <!-- Atom Publishing Protocol -->
   <servlet>
       <servlet-name>ATOM</servlet-name>
       <servlet-class>org.apache.wiki.rpc.atom.AtomAPIServlet</servlet-class>
   </servlet>

   <!-- Maps short URLS to JSPs; also, detects webapp shutdown. -->
   <servlet>
       <servlet-name>WikiServlet</servlet-name>
       <servlet-class>org.apache.wiki.WikiServlet</servlet-class>
       <load-on-startup>1</load-on-startup>
   </servlet>

   <!--
       Attachment exchange handler.
     -->

   <servlet>
       <servlet-name>AttachmentServlet</servlet-name>
       <servlet-class>org.apache.wiki.attachment.AttachmentServlet</servlet-class>
   </servlet>

   <servlet-mapping>
       <servlet-name>AttachmentServlet</servlet-name>
       <url-pattern>/attach/*</url-pattern>
   </servlet-mapping>

   <servlet-mapping>
       <servlet-name>WikiServlet</servlet-name>
       <url-pattern>/wiki/*</url-pattern>
   </servlet-mapping>

    <servlet-mapping>
        <servlet-name>WikiAjaxDispatcherServlet</servlet-name>
        <url-pattern>/ajax/*</url-pattern>
        <url-pattern>/admin/ajax/*</url-pattern>
    </servlet-mapping>

    <!--
        And finally, let us tell the servlet container which
        URLs should correspond to which XML RPC servlet.
        By default, this is disabled.  If you want to enable it,
        just uncomment the whole section.
    -->

    <!--  REMOVE ME TO ENABLE XML-RPC
    <servlet-mapping>
        <servlet-name>XMLRPC</servlet-name>
        <url-pattern>/RPC2/</url-pattern>
    </servlet-mapping>

    <servlet-mapping>
        <servlet-name>XMLRPC-UTF8</servlet-name>
        <url-pattern>/RPCU/</url-pattern>
    </servlet-mapping>

    <servlet-mapping>
        <servlet-name>ATOM</servlet-name>
        <url-pattern>/atom/*</url-pattern>
    </servlet-mapping>
    AND REMOVE ME TOO -->

   <!-- This means that we don't have to use redirection
        from index.html anymore.  Yay! -->
   <welcome-file-list>
       <welcome-file>Wiki.jsp</welcome-file>
   </welcome-file-list>

   <!-- Error pages -->
   <error-page>
     <error-code>403</error-code>
     <location>/error/Forbidden.html</location>
   </error-page>

   <!--  REMOVE ME TO ENABLE JDBC DATABASE
   <resource-ref>
       <description>
           Resource reference to JNDI factory for the JDBCUserDatabase.
       </description>
       <res-ref-name>
           jdbc/UserDatabase
       </res-ref-name>
       <res-type>
           javax.sql.DataSource
       </res-type>
       <res-auth>
           Container
       </res-auth>
   </resource-ref>
   <resource-ref>
       <description>
           Resource reference to JNDI factory for the JDBCGroupDatabase.
       </description>
       <res-ref-name>
           jdbc/GroupDatabase
       </res-ref-name>
       <res-type>
           javax.sql.DataSource
       </res-type>
       <res-auth>
           Container
       </res-auth>
   </resource-ref>
   REMOVE ME TO ENABLE JDBC DATABASE  -->

   <!--  REMOVE ME TO ENABLE JAVAMAIL
   <resource-ref>
     <description>Resource reference to a container-managed JNDI JavaMail factory for sending e-mails.</description>
     <res-ref-name>mail/Session</res-ref-name>
     <res-type>javax.mail.Session</res-type>
     <res-auth>Container</res-auth>
   </resource-ref>
   REMOVE ME TO ENABLE JAVAMAIL  -->

   <!--
       CONTAINER-MANAGED AUTHENTICATION & AUTHORIZATION

       Here we define the users which are allowed to access JSPWiki.
       These restrictions cause the web container to apply further
       contraints to the default security policy in jspwiki.policy,
       and should be suitable for a corporate intranet or public wiki.

       In particular, the restrictions below allow all users to
       read documents, but only Authenticated users can comment
       on or edit them (i.e., access the Edit.jsp page).
       Users with the role Admin are the only persons who can
       delete pages.

       To implement this policy, the container enforces two web
       resource constraints: one for the Administrator resources,
       and one for  Authenticated users. Note that the "role-name"
       values are significant and should match the role names
       retrieved by your web container's security realm. The roles
       of "Admin" and "Authenticated" are assigned by the web
       container at login time.

       For example, if you are using Tomcat's built-in "memory realm",
       you should edit the $CATALINA_HOME/conf/tomcat-users.xml file
       and add the desired actual user accounts. Each user must possess
       one or both of the Admin or Authenticated roles. For other realm
       types, consult your web container's documentation.

       Alternatively, you could also replace all references to
       "Authenticated" and "Admin" with role names that match those
       returned by your container's security realm. We don't care
       either way, as long as they match.

       Note that accessing protected resources will cause your
       container to try to use SSL (default port for Tomcat is 8443)
       to secure the web session. This, of course, assumes your
       web container (or web server) is configured with SSL support.
       If you do not wish to use SSL, remove the "user-data-constraint"
       elements.
   -->

   <!--  REMOVE ME TO ENABLE CONTAINER-MANAGED AUTH

   <security-constraint>
       <web-resource-collection>
           <web-resource-name>Administrative Area</web-resource-name>
           <url-pattern>/Delete.jsp</url-pattern>
       </web-resource-collection>
       <auth-constraint>
           <role-name>Admin</role-name>
       </auth-constraint>
       <user-data-constraint>
           <transport-guarantee>CONFIDENTIAL</transport-guarantee>
       </user-data-constraint>
   </security-constraint>

   <security-constraint>
       <web-resource-collection>
           <web-resource-name>Authenticated area</web-resource-name>
           <url-pattern>/Edit.jsp</url-pattern>
           <url-pattern>/Comment.jsp</url-pattern>
           <url-pattern>/Login.jsp</url-pattern>
           <url-pattern>/NewGroup.jsp</url-pattern>
           <url-pattern>/Rename.jsp</url-pattern>
           <url-pattern>/Upload.jsp</url-pattern>
           <http-method>DELETE</http-method>
           <http-method>GET</http-method>
           <http-method>HEAD</http-method>
           <http-method>POST</http-method>
           <http-method>PUT</http-method>
       </web-resource-collection>

       <web-resource-collection>
           <web-resource-name>Read-only Area</web-resource-name>
           <url-pattern>/attach</url-pattern>
           <http-method>DELETE</http-method>
           <http-method>POST</http-method>
           <http-method>PUT</http-method>
       </web-resource-collection>

       <auth-constraint>
           <role-name>Admin</role-name>
           <role-name>Authenticated</role-name>
       </auth-constraint>

       <user-data-constraint>
           <transport-guarantee>CONFIDENTIAL</transport-guarantee>
       </user-data-constraint>
   </security-constraint>

   <login-config>
       <auth-method>FORM</auth-method>
       <form-login-config>
           <form-login-page>/LoginForm.jsp</form-login-page>
           <form-error-page>/LoginForm.jsp</form-error-page>
       </form-login-config>
   </login-config>

   <security-role>
       <description>
           This logical role includes all authenticated users
       </description>
       <role-name>Authenticated</role-name>
   </security-role>

   <security-role>
       <description>
           This logical role includes all administrative users
       </description>
       <role-name>Admin</role-name>
   </security-role>

   REMOVE ME TO ENABLE CONTAINER-MANAGED AUTH  -->

</web-app>
